Digital Forensics: More Than Meets The Eye

With the increasing rate of cybercrime during the last few years, it has become necessary for enterprises, government and law enforcement agencies to adopt digital forensics tools to assist them during an investigation. Many organizations have experienced cybercrime incidents. Whether internal or external, an incident should be investigated thoroughly to identify as much evidence as possible. Organizations should be prepared for any cybercrime event by establishing an internal Incident Response process and Digital Forensics procedures in accordance with the chain of custody rule.

It is important that organizations do not overlook computer-related evidence during an investigation. Digital Forensics professionals can recover key data from computer media easily. With large volumes of data in today’s corporate environment, it would not be practical to use the human eye alone to identify evidence. In any investigation, timing and, more importantly, attention to detail are critical to success. Digital Forensic Tools can help investigators locate key electronic data with speed and accuracy. These tools can make the job of an investigator easier. Searching for the ‘needle in the haystack’ becomes easier with the advanced processing capabilities of Digital Forensic tools. Tasks such as recovering deleted files, searching for keywords, sorting out emails, reviewing the internet browsing history, and analyzing video, audio files or digital images become easier. For an investigator, developing a timeline of events that preceded an incident is important, especially in the case of a data breach. Digital Forensics tools can retrieve this data to be presented to management, regulators or in a court of law.

As an example, when a case of internal fraud occurs, it is important to thoroughly investigate electronic evidence related to a suspected employee. The intent of an investigator is not to prove guilt or innocence but rather to present evidence which establishes facts. Overlooking a suspected employee’s computer can potentially lead an organization to miss out on valuable evidence. Is there any digital evidence that exonerates an employee and proves them to be innocent? Was there any data theft committed? Were any third parties involved in the fraud? Are there any relevant electronic communications between the suspected employee and others in the organization related to the incident? Was the computer hacked by outsiders and used to commit a crime? What was the timeline of events that led to the incident? What vulnerabilities or risks were exploited or bypassed during the incident? Digital Forensic Tools can help answer these and other questions about an incident in an efficient and easy manner.

Organizations should not wait until an incident occurs to plan their digital forensics process. Not all organizations need to hire an internal Digital Forensics Professional; however, a process should be developed where digital forensics service providers can be reached at a moment’s notice. When an incident occurs, an organization needs speed and attention to detail, and proper digital forensic tools should be readily available. Dismissing or overlooking digital evidence presents many risks to an organization, including the possibility of further incidents, legal liability, financial loss and many questions that might be left unanswered.